Exonerated by Community Watch?

What does it mean when Community Watch exonerates a file (e.g., Statistical Submission: Setup.exe Exonerated)?  Does it mean the file was once considered suspicious but has since been exonerated?  Or does it mean the file is now considered suspicious but there is not enough information to convict it? In other words is it a good or bad sign for the file?


Hello car825

 

Welcome to the Norton Community Forum

 

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


floplot wrote:

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


I think the question is: if Norton has already exonerated the file, why is it now being submitted to Norton Community Watch?  Exoneration implies the file has been previously classified as suspicious or worse, and has since been acquitted, so presumably there would be no need to resubmit the file for further analysis via NCW.  I thought NCW submissions are usually new, unknown files that Symantec wants to take a look at, so I am curious about these exonerated file submissions, as well.

Hello

 

In my case, I don't really know why they would want to have the statistical submission again sent in. I just installed NIS 2012 and they had been exonerated yet with NIS 2011. This time though they were found in my backup drive and were submitted a 2nd time from that drive. The first time they were exonerated with NIS 2011, they were from the drive where I keep those files. I guess since mine was a new install of NIS 2012, they are resubmitting files that were already exonerated since they are submitting I think every file in my computer. Mine were all statistical submissions of exonerated files.

 

I did do a clean install of NIS 2012 after using the control panel method and 1 run of the NRT because I had been having some problems with NIS 2011.


SendOfJive wrote:

floplot wrote:

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


I think the question is: if Norton has already exonerated the file, why is it now being submitted to Norton Community Watch?  Exoneration implies the file has been previously classified as suspicious or worse, and has since been acquitted, so presumably there would be no need to resubmit the file for further analysis via NCW.  I thought NCW submissions are usually new, unknown files that Symantec wants to take a look at, so I am curious about these exonerated file submissions, as well.


It would be appreciated if a Symantec Employee could provide a definitive answer to my original question and SendOfJive’s quoted question. To restate the original question:

 

What does it mean when Community Watch exonerates a file (e.g., Statistical Submission: Setup.exe Exonerated)? Does it mean the file was once considered suspicious but has since been exonerated? Or does it mean the file is now considered suspicious but there is not enough information to convict it? In other words is it a good or bad sign for the file?

I agree with car825's last post.

 

There are a couple of valid points here regarding the actual definition of "exonerated," aside from the legal def. :smileywink:

I can't find any additional information on this, so a Developer/QA answer would help quite a bit.

 

If the malware doesn't fit, you must acquit. :smileyhappy:

 

Atomic_Blast :)

It really would be good if someone from Symantec could definitively answer these questions.  The information is in the Community Watch log but people don’t understand what it means.

Is there anyone who can answer these questions?


car825 wrote:

SendOfJive wrote:

floplot wrote:

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


I think the question is: if Norton has already exonerated the file, why is it now being submitted to Norton Community Watch?  Exoneration implies the file has been previously classified as suspicious or worse, and has since been acquitted, so presumably there would be no need to resubmit the file for further analysis via NCW.  I thought NCW submissions are usually new, unknown files that Symantec wants to take a look at, so I am curious about these exonerated file submissions, as well.


It would be appreciated if a Symantec Employee could provide a definitive answer to my original question and SendOfJive’s quoted question. To restate the original question:

 

What does it mean when Community Watch exonerates a file (e.g., Statistical Submission: Setup.exe Exonerated)? Does it mean the file was once considered suspicious but has since been exonerated? Or does it mean the file is now considered suspicious but there is not enough information to convict it? In other words is it a good or bad sign for the file?


I'll try and answer this for you based on what I've observed with this feature. First up though, Norton should consider dropping the word 'Exonerated' from the Statistical Submission text because it can lead the user to mistakenly assume that the file in question is safe to run when in actual fact, it may not be...

 

The 'Exonerated' state comes about when a heuristic scan detects that a file has some threat-like characteristics but not enough to convict it outright. The heuristic scanning process is controlled via the following setting:

 

Settings > Computer > Computer Scan > Heuristic Protection

 

The NIS Online Help describes this feature as follows:

 

"Norton Internet Security uses heuristic technology to check suspicious characteristics of a file to categorize it as infected. It compares the characteristics of a file to a known infected file. If the file has sufficient suspicious characteristics, then Norton Internet Security identifies the file as infected with a threat."

 

As I mentioned in this post, the 'Exonerated' status only applies at the specific date/time that the file was scanned and does not extend beyond this. As you saw in that post, the status of the files in question quickly went from being 'exonerated' to being assessed as hostile files containing 'Downloader.Dromedan'.

 

The bottom line here is that you should err on the side of caution with these 'exonerated' files and do some research before executing them. The first Full System Scan after NIS is installed usually identifies a number of files with 'exonerated' status. For example, some game EXE files or game uninstaller applications tend to fall into this category. If you have any third-party on-demand scanners installed, scan the file with them. Norton File Insight can also assist with confirming whether or not a file is currently considered safe.

 

To check your 'setup.exe' file, proceed as follows:

 

  1. Locate your setup.exe file using Windows Explorer.
  2. Right-click on the file and choose Norton File Insight.
  3. Review the trust rating, file maturity and usage information.

If you are familiar with Virus Total, then you can do a search there to see if your setup.exe file has already been uploaded there for cross-checking:

 

  1. In the Norton File Insight window that you opened above, click 'Copy to Clipboard'
  2. Open Notepad and paste the information.
  3. There are two File Thumbprint sections at the bottom of this information (SHA and MD5). Select one of them and copy it to the clipboard.
  4. Click http://www.virustotal.com/search.html and paste the value into the search box and click Search.

If the file has already been uploaded, you will be presented with a list of scan results from other antivirus software vendors. If it hasn't, you can always upload the file to Virus Total yourself for checking.

 

Hope this helps. 
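Added example (not part of the original post, and not Norton or Virus Total code): before searching on a thumbprint, it is worth confirming that the file on disk is the same one File Insight reported. This sketch hashes the file locally and compares it with a pasted thumbprint; it assumes the thumbprint is a hex MD5, SHA-1 or SHA-256 digest identified by its length, and the sample file and function names are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name (assumption: the pasted
# thumbprint is a plain hex digest of one of these three kinds).
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize_thumbprint(text):
    """Drop spaces, colons, dashes and case from a pasted thumbprint."""
    digest = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in ALGO_BY_LENGTH:
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest")
    return digest

def file_digest(path, algorithm):
    """Hash the file in 1 MiB chunks so large installers are not read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_thumbprint(path, pasted):
    """Return (algorithm, matched) for the file on disk versus the pasted value."""
    wanted = normalize_thumbprint(pasted)
    algorithm = ALGO_BY_LENGTH[len(wanted)]
    return algorithm, file_digest(path, algorithm) == wanted

def make_sample():
    """Constructed stand-in for setup.exe so the example runs offline."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real installer")
    return path

if __name__ == "__main__":
    sample = make_sample()
    try:
        # Simulate a thumbprint pasted in upper case with spaces between groups.
        digest = file_digest(sample, "sha256").upper()
        pasted = " ".join(digest[i:i + 8] for i in range(0, 64, 8))
        print(matches_thumbprint(sample, pasted))
        # A thumbprint belonging to some other file must not match.
        print(matches_thumbprint(sample, "d41d8cd98f00b204e9800998ecf8427e"))
    finally:
        os.remove(sample)
```

A mismatch means the file was replaced or modified after File Insight looked at it, so any Virus Total result found for the old thumbprint says nothing about the file now on disk.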

The description for one of the Community Watch log entries says Statistical Submission: WS.Trojan.H Exonerated.  It is followed by a string of numbers in the Submission Details section. No file name is given. What does that mean?  How do you research it without a file name?  Thanks for your help with this.

Hello car825

Respectfully, if you have any lingering concerns regarding your system. 

You may be well served by visiting a free Malware Removal site.

An "All Clean" from experts always helps me when I have concerns.

I've visited with Bleeping Computer and What The Tech

I'm partial to Bleeping Computer's Forum ~ Am I Infected?

Other free Malware Removal sites - (credit Delphinium for links)

http://www.geekstogo.com/forum/

 

http://www.cybertechhelp.com/forums/

 

http://forums.whatthetech.com/

 

http://support.emsisoft.com/forum/6-help-my-pc-is-infected/

 

Thanks

 


bjm_ wrote:

Hello car825

Respectfully, if you have any lingering concerns regarding your system. 

You may be well served by visiting a free Malware Removal site . . .

 

 

Thanks

 


My concern is that I’m getting mixed messages from this forum.  On one hand I’m being told I can safely ignore all the entries in the Community Watch log (even the alarming ones) and assume that my system is safe if the Norton System Status says Safe and is green. On the other hand, I’m being told that I should not ignore them.  Which one is it?  I would be happy if I could just ignore them.  This way Symantec doesn’t have to explain what they mean and I can forget it.  But if they do require research, then it’s only fair that Symantec explain what they mean.

 

Hi car825,

 

Norton Community Watch submits files of interest to Symantec for analysis.  None of these are known to be malicious.  If they were, they would be removed from your system.  NCW is not a protection component, like Auto-Protect or SONAR.  It is simply a tool to allow Symantec to obtain and evaluate previously unseen files in the wild.  Inclusion in a NCW submission is not an indication that a file is malicious, and so you should not draw any conclusions about the files from this.

Hello car825

I've searched my Norton Community Watch history.  I did not find WS.Trojan.H

I appreciate your concerns and sense your frustration. 

In a perfect world we would all be issued a Symantec to native language manual / dictionary.

The Norton Community is a user to user help venue.

The Symantec employees that participate as you know are volunteers.

Hopefully, a Symantec employee will chime in to satisfy your concerns.

I am also curious about these exonerated file submissions.

You can persist and wait for a Symantec employee volunteer to post a reply.

You can present your concerns to Symantec directly via Live Chat.

You can start a Topic at one of the Malware Removal sites. 

I always feel better getting an "All Clean" from experts.

You wrote: No file name is given.  How do you research it without a file name?  IDK :smileysad:

I usually naively trust that Symantec is doing the research. 

When that does not satisfy me.  I'll get a second opinion from Bleeping.

Thanks

 

 


car825 wrote:

 

The description for one of the Community Watch log entries says Statistical Submission: WS.Trojan.H Exonerated.  It is followed by a string of numbers in the Submission Details section. No file name is given. What does that mean?  How do you research it without a file name?  Thanks for your help with this.


Interesting. Does your 'WS.Trojan.H Exonerated' log entry look like the one below? Are you seeing a row of underscore characters where the file name should be (________)? If it's different, then right-click on the log entry, select copy and paste the details into your next post.

 

I have six entries like the one below. I'll see if there is anything else in the log that can shed some light on this.

 

Description: Statistical Submission: Suspicious.Cloud.7.L Exonerated
Submission Details: ___________________________
Detection Digest:
03 00 EA AF 0F 01 00 02 00 00 00 00 00 83 AC 71 ...............q
92 99 D5 F2 DB 00 00 00 00 4D 15 DD 6A 04 03 00 .........M..j...
00 32 19 03 05 00 01 02 02 00 00                .2.........

 

Please confirm.

Thanks
 

Hi car825:

 

I have re-enabled NCW on my NIS 2012 boxes to evaluate what is being posted here.

 

However, the post by SendOfJive (post #14 in this thread) sums it all up pretty well.

It's the "exoneration" part for my technical curiosity, that really interests me.

 

Let's see what I come up with.

 

Best wishes,

 

Atomic_Blast :)


elsewhere wrote:

car825 wrote:

 

The description for one of the Community Watch log entries says Statistical Submission: WS.Trojan.H Exonerated.  It is followed by a string of numbers in the Submission Details section. No file name is given. What does that mean?  How do you research it without a file name?  Thanks for your help with this.


Interesting. Does your 'WS.Trojan.H Exonerated' log entry look like the one below? Are you seeing a row of underscore characters where the file name should be (________)? If it's different, then right-click on the log entry, select copy and paste the details into your next post.

 

I have six entries like the one below. I'll see if there is anything else in the log that can shed some light on this.

 

Description: Statistical Submission: Suspicious.Cloud.7.L Exonerated
Submission Details: ___________________________
Detection Digest:
03 00 EA AF 0F 01 00 02 00 00 00 00 00 83 AC 71 ...............q
92 99 D5 F2 DB 00 00 00 00 4D 15 DD 6A 04 03 00 .........M..j...
00 32 19 03 05 00 01 02 02 00 00                .2.........

 

Please confirm.

Thanks
 


My Community Watch log entry for WS.Trojan.H Exonerated had one underscore followed by a string of numbers and letters where the file name should have been.


Atomic_Blast wrote:

Hi car825:

 

I have re-enabled NCW on my NIS 2012 boxes to evaluate what is being posted here.

 

However, the post by SendOfJive (post #14 in this thread) sums it all up pretty well.

It's the "exoneration" part for my technical curiosity, that really interests me.

 

Let's see what I come up with.

 

Best wishes,

 

Atomic_Blast :)


Try running a full system scan and then checking the log.  That's when the WS.Trojan.H Exonerated Community Watch log entries appeared in my log.  The scan itself was clean.  No problems were found.

Hello Car

 

I have the same type of entries as you have after my Idle Full System Scan ran on Sat. There were a whole bunch of exonerated files of different sorts. I remember the same files being exonerated in NIS 2011 also. They are just statistical submissions so that the rules can be adjusted.